%22%3E%3Cstop%20offset%3D%220%25%22%20stop-color%3D%22%231e1b4b%22%2F%3E%3Cstop%20offset%3D%22100%25%22%20stop-color%3D%22%234f46e5%22%20stop-opacity%3D%220.6%22%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D%22800%22%20height%3D%22200%22%20fill%3D%22url(%23bg)%22%2F%3E%3Ccircle%20cx%3D%22339%22%20cy%3D%22160%22%20r%3D%22124%22%20fill%3D%22%234f46e5%22%20opacity%3D%220.17%22%2F%3E%3Ccircle%20cx%3D%22571%22%20cy%3D%2214%22%20r%3D%22167%22%20fill%3D%22%234f46e5%22%20opacity%3D%220.25%22%2F%3E%3Ccircle%20cx%3D%22641%22%20cy%3D%22183%22%20r%3D%22125%22%20fill%3D%22%234f46e5%22%20opacity%3D%220.30%22%2F%3E%3Ccircle%20cx%3D%22778%22%20cy%3D%22150%22%20r%3D%2242%22%20fill%3D%22%23818cf8%22%20opacity%3D%220.21%22%2F%3E%3Ccircle%20cx%3D%22791%22%20cy%3D%22114%22%20r%3D%2241%22%20fill%3D%22none%22%20stroke%3D%22%234f46e5%22%20stroke-width%3D%223.7%22%20opacity%3D%220.20%22%2F%3E%3Crect%20x%3D%22322%22%20y%3D%2269%22%20width%3D%2224%22%20height%3D%2228%22%20rx%3D%224%22%20fill%3D%22%23818cf8%22%20opacity%3D%220.21%22%20transform%3D%22rotate(-2%20322%2069)%22%2F%3E%3Crect%20x%3D%22252%22%20y%3D%22106%22%20width%3D%2294%22%20height%3D%2262%22%20rx%3D%2210%22%20fill%3D%22%234f46e5%22%20opacity%3D%220.28%22%20transform%3D%22rotate(-25%20252%20106)%22%2F%3E%3Cpolygon%20points%3D%2237%2C127%2044%2C109%2017%2C121%22%20fill%3D%22%23818cf8%22%20opacity%3D%220.37%22%2F%3E%3Ccircle%20cx%3D%2270%22%20cy%3D%2255%22%20r%3D%223%22%20fill%3D%22%23818cf8%22%20opacity%3D%220.80%22%2F%3E%3Ccircle%20cx%3D%22384%22%20cy%3D%22177%22%20r%3D%227%22%20fill%3D%22%23818cf8%22%20opacity%3D%220.71%22%2F%3E%3Ccircle%20cx%3D%22150%22%20cy%3D%225%22%20r%3D%223%22%20fill%3D%22%23818cf8%22%20opacity%3D%220.42%22%2F%3E%3Ccircle%20cx%3D%22785%22%20cy%3D%22168%22%20r%3D%226%22%20fill%3D%22%23818cf8%22%20opacity%3D%220.48%22%2F%3E%3C%2Fsvg%3E)
Introduction
Blind signing is the act of approving a blockchain transaction without being able to verify what it actually does. On networks where wallets cannot natively understand token operations — including Ethereum and most EVM-compatible chains — transactions are presented to users as opaque hexadecimal strings. Users and AI agents sign what amounts to a blank check, trusting that the dApp frontend is honestly representing the transaction's intent.
The Radix Knowledge Base identifies blind signing as the root cause of many hacks across Web3 and DeFi. Radix eliminates the problem entirely through transaction manifests — declarative, human-readable instructions that make every operation visible and verifiable before signing.
The Cost of Blind Signing
Blind signing has enabled some of the largest exploits in DeFi history:
Badger DAO (December 2021): An attacker compromised a Cloudflare API key and injected malicious JavaScript into BadgerDAO's frontend. The script silently added unlimited approve() calls to users' transactions. Because wallets displayed these as opaque hex data, 500 wallets unknowingly signed unlimited token approvals. The attacker then called transferFrom() to drain $120 million. One victim reportedly lost $50 million in a single transaction. The smart contracts worked correctly — the exploit was entirely at the signing layer.
Wallet Drainer Campaigns: In 2024, wallet drainer phishing stole $494 million from approximately 332,000 victims, with 85.3% of losses on Ethereum. Thirty incidents exceeded $1 million each. Permit and Permit2 approval signatures — designed to improve the approval UX — have become a primary phishing vector, accounting for 38% of high-value losses.
The fundamental issue is architectural: on chains without native token understanding, wallets cannot display meaningful transaction previews. Users and agents must trust the frontend, the RPC provider, and every intermediary in the signing pipeline.
How Transaction Manifests Work
A Radix transaction manifest is a sequence of instructions that describe exactly what a transaction will do. Each instruction is explicit:
CALL_METHOD— invoke a specific method on a named componentwithdraw— remove a specified amount of a named resource from an accountdeposit_batch— deposit all resources on the worktop into an accountlock_fee— reserve XRD for transaction fees
Resources flow through a temporary holding area called the "worktop" during execution. Every resource withdrawn must be deposited somewhere — the Radix Engine enforces that all buckets are empty at transaction end. No resources can be lost, orphaned, or left unaccounted for.
Manifests can include assertions — for example, guaranteeing that the signer will receive at least a minimum amount of a specific resource. If any assertion is violated, the entire transaction reverts atomically. An AI agent can encode its expected outcomes directly into the manifest, making manipulation detectable and rejectable at the protocol level.
Manifest Types
The Radix Wallet recognizes conforming manifest types and displays tailored transaction previews for each:
- Transfer — simple resource transfers between accounts
- Stake / Unstake — validator staking operations
- Claim — claiming staking rewards or other entitled resources
- Account Deposit Settings — configuring account deposit rules
Because Radix has native assets, the wallet knows what every resource is — its name, symbol, and icon — and can display it meaningfully. EVM wallets can only show raw contract addresses and hex-encoded function calls.
With the Cuttlefish upgrade, subintents extend this model to multi-party transactions. Each participant signs their own sub-manifest, which is then assembled into a complete atomic transaction. Every party verifies only what they are authorizing.
Why AI Agents Need Readable Transactions
An AI agent operating autonomously on-chain is in a worse position than a human when it comes to blind signing. A human might recognize a suspicious dApp or get a gut feeling about a phishing site. An agent has no such intuition — it can only verify what its inputs formally describe.
On EVM chains, an agent receiving a transaction to sign gets ABI-encoded calldata. Even with ABI decoding, the agent cannot guarantee that the contract's runtime behavior matches the function signature — proxy contracts, delegatecall patterns, and upgradeable contracts all obscure actual execution logic.
On Radix, the same agent receives a manifest listing every operation in plain text: which resources leave its account, which components are called, what assertions must hold, and what resources it expects to receive. The agent can verify intent at the transaction level, not the contract level. This is the difference between signing a blank check and signing an itemized invoice.